Clever Tactics Against Piracy

Jay Rolls <jrolls@frg.bbn.com> Fri, 29 Jan 93 14:16:11 +0100

I thought the info-mac readers would find this article interesting.....
Jay Rolls, Stuttgart, Germany <jrolls@bbn.com>
[sent to RISKS by gio@DARPA.MIL (Gio Wiederhold) via many others]
COMPUTER CHEATS TAKE CADSOFT'S BAIT
Employees of IBM, Philips, the German federal interior ministry and the
federal office for the protection of the constitution are among those who
unwittingly 'turned themselves in' when a German computer software company
resorted to an undercover strategy to find out who was using illegal copies of
one of its programs.
Hundreds of customers accepted Cadsoft's offer of a free demonstration program
that, unknown to them, searched their computer hard disks for illegal copies.
Where the search was successful, a message appeared on the monitor screen
inviting the customer to print out and return a voucher for a free handbook of
the latest version of the program. However, instead of a handbook the users
received a letter from the Bavarian-based software company's lawyers.
Since the demonstration program was distributed last June about 400 people
have returned the voucher, which contained coded information about the type of
computer and the version of the illegally copied Cadsoft program being used.
Cadsoft is now seeking damages of at least DM6,000 (ECU3,062) each from the
illegal users.
Cadsoft's tactics are justified by manager Rudolf Hofer as a necessary defence
against pirate copying. The company had experienced a 30% drop since 1991 in
sales of its successful Eagle design program, which retails at DM2,998. In
contrast, demand for a DM25 demo version, which Cadsoft offered with the
handbook of the full version, had jumped, indicating that people were
acquiring the program from other sources.
Although Cadsoft devised its plan with the help of lawyers, doubts have been
raised about the legal acceptability of this type of computer detective work.
In the case of government offices there is concern about data protection and
official secrets. The search program may also have had side-effects that
caused other files to be damaged or lost. Cadsoft is therefore preparing
itself for what could be a long legal battle with some customers. So far it
has reached out-of-court agreement with only about a quarter of those who
incriminated themselves.

Educational computer game banned in Milpitas CA

RISK in paragraph three.
The following appeared in the _Milpitas Post_ Vol. 37 No. 2, January
13, 1993, of Milpitas, CA on page 1.
Superior Court ruling upholds `Wizards' ban, by Christina Kirby
A SUPERIOR court judge has upheld the Milpitas Unified School
District's 2-year-old ban on the Wizards spelling game. The ruling was
handed down last Friday.
The computer game was banned in 1990 by the school board following
complaints from parents that it promoted satanic worship.
Teachers, seeking to reverse the ban, argued that it infringed on
their rights to choose teaching materials, and broke laws prohibiting
state agencies, such as school districts, from supporting any religion.
The court ruled that the school district had acted within its authority and
had not violated the California constitution by banning the game.
"With all due respect, we don't agree with the court's decision," said
Catherine Porter, an attorney representing the teachers. "Based on the
California constitution, we do believe that we provided significant evidence
to show that the purpose and effect of the ban was religious and not secular."
Pleased by the ruling, Milpitas Superintendent Jack Mackay said, "We
always thought the board was acting within its authority to maintain a
secular environment."
Porter said Monday that the teachers would be discussing whether or
not to appeal the decision.
shaun@octel.com

"Two charged with computer fraud in credit scam"

Source: St Pete Times, 1/26/93, pg 3B, Tim Roche
A personnel supervisor "who knew the ins and outs of a computer system that
managed charge accounts for thousands of jewelry store customers along the
Eastern Seaboard" and a former co-worker worked a scam using the supervisor's
ability to alter the computer's database, illustrating the risks of:
- inadequate controls within the computer system
- retail store policy shortcomings
- the procedure by which they let users who have had their card stolen
continue to charge purchases
- flaws in the system accountability
"Using computer passwords of other employees, detectives said, Benjamin
Francois was able to alter customer records and list a credit card as lost or
stolen. Then his friend, John Wise, would appear at a jewelry store and claim
to be the customer whose credit card was missing. By store policy, Wise only
was required to give sales clerks a name, Social Security number and a secret
code that would allow customers whose cards were lost or stolen to continue
charging merchandise. "If the clerk asked to see some identification, Wise
would explain ... he had no photo to prove he was the customer, but he would
give the clerk the secret code Francois had obtained from the computer."
Affected between June 2nd and last September were:
- jewelry stores in Tampa, Orlando, Palm Beach and Altamonte Springs FL
- Jewelers Financial Services, which ran accounts for:
. Zales Jewelers, Bailey Banks & Biddle Jewelers, Gordons Jewelers
Francois was able to delete the references to stolen or lost cards on the
charge accounts after the purchases were made. The two men were arrested
after a tip in November led police investigators to "verify the mainframe
database" records.
Of particular interest: system controls allowed Francois to manipulate the
database, then hide the activity so that, apparently, the real customers were
not billed. If the report is correct, it was the November tip and not any
system controls that revealed the thefts. Apparently the charges were allowed
to fall into some sort of accounting black hole.
Norm deCarteret Advantis - Tampa FL
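The check the post says was missing, as an added example that is not from the news report or from the poster: a detection pass over an append-only audit trail of the charge-account system. The point is that marking a card lost, charging against the replacement code, and then clearing the flag leaves a recoverable sequence if the clear is logged as an event rather than applied as a silent edit to the customer record. The log format, the event names (FLAG_LOST, CHARGE, CLEAR_LOST), the `auth=` values and every sample record below are constructed for illustration; none of them describe the real Jewelers Financial Services system.

```python
"""Detection pass over an append-only audit trail of a charge-account system.

Added example; the log layout, event names and sample records are constructed
for illustration and are not taken from the RISKS post or the news report.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ts|operator|terminal|account|event|detail
# Account 44120031 shows the pattern from the report: flag lost, charge via the
# customer "secret code", clear the flag the next day, all by one operator.
# Account 55891007 is a legitimate reissue cleared three weeks later.
# Account 60013355 is flagged and charged but not (yet) cleared.
SAMPLE_LOG = """\
1992-06-02T09:14:00|r.gomez|HQ-07|44120031|FLAG_LOST|code=7731
1992-06-02T09:15:10|r.gomez|HQ-07|44120031|VIEW_ACCESS_CODE|
1992-06-02T13:40:22|store-tampa|T-02|44120031|CHARGE|amount=2450.00 auth=code
1992-06-03T08:02:41|r.gomez|HQ-07|44120031|CLEAR_LOST|
1992-06-10T10:00:00|m.chan|HQ-03|55891007|FLAG_LOST|code=1188
1992-06-11T15:22:05|store-orlando|O-01|55891007|CHARGE|amount=300.00 auth=card_reissue
1992-07-01T11:05:00|m.chan|HQ-03|55891007|CLEAR_LOST|
1992-07-15T09:00:00|j.park|HQ-09|60013355|FLAG_LOST|code=9902
1992-07-16T12:30:00|store-palmbeach|P-01|60013355|CHARGE|amount=1800.00 auth=code
"""


def parse_log(text):
    """Parse 'ts|operator|terminal|account|event|detail' lines, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, terminal, account, event, detail = line.split("|", 5)
        fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "operator": operator,
            "terminal": terminal,
            "account": account,
            "event": event,
            "fields": fields,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def find_suspicious_reversals(text, window_days=14):
    """Accounts whose lost/stolen flag was cleared within window_days while
    code-authorised charges were posted during the flagged period.

    Because the trail is append-only, CLEAR_LOST is itself a record; the
    'deletion' described in the report cannot erase the FLAG_LOST that
    preceded it or the charges posted in between."""
    findings = []
    open_flags = {}  # account -> (FLAG_LOST record, [code-authorised charges])
    for r in parse_log(text):
        acct = r["account"]
        if r["event"] == "FLAG_LOST":
            open_flags[acct] = (r, [])
        elif r["event"] == "CHARGE" and acct in open_flags:
            if r["fields"].get("auth") == "code":
                open_flags[acct][1].append(r)
        elif r["event"] == "CLEAR_LOST" and acct in open_flags:
            flag, charges = open_flags.pop(acct)
            days = (r["ts"] - flag["ts"]).days
            if charges and days <= window_days:
                findings.append({
                    "account": acct,
                    "flagged_by": flag["operator"],
                    "cleared_by": r["operator"],
                    "days_flagged": days,
                    "charged": round(sum(float(c["fields"]["amount"])
                                         for c in charges), 2),
                    "same_operator": flag["operator"] == r["operator"],
                })
    return findings


def self_reversals(text):
    """Operators who both raised and cleared a lost/stolen flag on the same
    account: a separation-of-duties failure worth reviewing on its own, even
    when no charge was posted in between."""
    raised = defaultdict(set)
    offenders = set()
    for r in parse_log(text):
        if r["event"] == "FLAG_LOST":
            raised[r["account"]].add(r["operator"])
        elif r["event"] == "CLEAR_LOST" and r["operator"] in raised[r["account"]]:
            offenders.add(r["operator"])
    return offenders


if __name__ == "__main__":
    for finding in find_suspicious_reversals(SAMPLE_LOG):
        print(finding)
    print("self-reversals:", sorted(self_reversals(SAMPLE_LOG)))
```

On the sample data only account 44120031 is reported by the first check (flagged and cleared by the same operator within a day, with DM-irrelevant $2,450 charged against the code in between), while the second check also lists m.chan, whose reissue was legitimate but who still both raised and cleared the flag; that second list is the one a store policy review would act on, since the fraud in the report depended on one person being able to do both.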

Bible belt broadcast bungle

Peter J. Scott <pjs@euclid.Jpl.Nasa.Gov> Thu, 28 Jan 93 08:31:21 -0800

Heard this on the radio this morning: a major Christian radio network is
alerting its member stations to check their latest shipments of religious
compact discs before airing them. It seems that some other CDs were
mislabelled at the factory and shipped along with the religious ones.
Unfortunately the itinerant CDs were by the Dead Kennedys. A spokesman for
the radio network said, "This is what happens whenever people get around
machines." The CBS newsreader, with masterful understatement, said, "The Dead
Kennedys CDs included songs such as, `I Kill Children,' which some Christian
listeners may not find inspirational."
Peter J. Scott, Member of Technical Staff | pjs@euclid.jpl.nasa.gov
Jet Propulsion Laboratory, NASA/Caltech | SPAN: GROUCH::PJS

Phone Fraud numbers

John Mello <jmello@igc.apc.org> Tue, 2 Feb 93 14:31:12 PST

The major telecomm carriers are reporting that 1992 was a bad year for the
phone baddies intent on ripping off phone service from corporations. Sprint
reported fraud claims by its business customers dived 96 percent, to $670,000,
or $1,350 per incident compared to an average loss of $35,000 in 1991. AT&T
says fraud claims made to it dropped about 88 percent and MCI says it has also
seen a drop in claims. In other words, 1992 losses were a far cry from the $1
billion to $3 billion a year claimed as losses in past years. The major reason
for the drop: customer awareness.

Re: Clinton Transition Team E-Mail

James Barrett <barrett@forge.gatech.edu> Thu, 28 Jan 1993 18:12:46 GMT

> Mail Delivery Failure. No room in mailbox.
This is because Jock Gill who handles Email for Clinton was at the
inauguration and not near his computer for a week. The link is back up and
generating *lots* of mail (press releases) from Clinton.

The issues surrounding the topic of possible negative health effects from
cellular phone use are going to be among the hottest (no pun intended) in
coming years.
There are no definitive studies that fully address the complexities of the
situation, especially in view of increasing circumstantial evidence that
non-ionizing radiation may have more biological effects than previously
thought.
It's true that walkie-talkies, ham radios, etc. have been around for
many years--but there are some potentially significant differences
with cellular phones:
1) Most walkie-talkies, police radios, ham radios, etc. are operated
in a push-to-talk mode. You're only transmitting when you're
actually talking. Cell phones transmit continuously, so exposure
is continuous during calls.
2) Cell phones operate at higher frequencies than most common
service or ham radios (common hand-held ham radios, for
example, usually go no higher than the 440 MHz band). Cell
phones operate in the 800-900 MHz region, which puts them
just about in the microwave range.
Recently there have been a number of concerns raised about microwave exposure
to the operators of police radar units. We're talking longer exposure and
higher frequencies in the radar case--but nobody knows where the "thresholds"
might be for exposure to possibly show effects in some persons. The bottom
line is that the higher the frequency, the more "energetic" the effects.
In at least a couple of the cases of persons accusing cell phones of causing
tumors, part of their evidence is the shape and direction of tumor
growth--they apparently are aligned with the antenna and growing inward from
the outside. Of course, this says nothing about cause and effect--but it has
to at least be considered.
It's true that cell phones use quite low power. But a little power packs a
bigger "punch" at these frequencies, and with the antenna right next to the
head the *field strength* (which matters more than the absolute power) can be
quite high (inverse square law applies).
Concerns about health effects from hand-held radios have been around for a
long time. But with the millions of people using continuously transmitting,
ultra high frequency units who never did before, some new dimensions are added
to the picture--and they are definitely worthy of serious consideration.
By the way, not all cellular systems are created equal when it comes to
radiation exposure. The new CDMA digital system, for example, throttles back
the power from the portable unit depending on how close you are to the cell
site--the site transmitter sends a signal back to the handheld controlling the
power level. The main reason for doing this is to drastically increase
battery life, but it has the additional benefit of reducing overall exposure
as well.
--Lauren--

"We've had walkie talkies (ok - two way radios) for years with
no perceivable or admitted risk to the health of users."
Not so. Long term (over 20 years) use of two-way radios by police officers
has been linked to higher incidences of glaucoma. This is one reason why the
transmitter unit is now worn on the belt, with the microphone pinned to the
lapel.
(This means that the transmitter irradiates the gonads instead of the
eyeballs ... a possible new risk?)
-=- Andrew Klossner (andrew@frip.wv.tek.com)
(uunet!tektronix!frip.WV.TEK!andrew)

CERTIFICATION-PROPOSED US LEGISLATION

From Alan Underwood, School of Information Systems, Queensland University of
Technology. e-mail alanu@snow.fit.qut.edu.au
I am seeking assistance in obtaining copies of any current US/European
legislation (proposed or enacted) for the certification of computing
professionals. Also, I have seen some reference to 6(?) US States considering
such legislation. I would like to know which States so that I can visit them
on an upcoming sabbatical.
Any assistance would be appreciated.

Erratum: GAO ordering number

Sorry, folks — human error strikes again. GAO's distribution center
is at (202) 275-6241. The warehouse is in Maryland, but they don't
take the orders there. Mea culpa, mea culpa, mea maxima culpa.
[stu@national.mitre.org (Stuart Bell) notes FAX (301) 258-4066,
no charge for single copies — just provide all info.]
[and later from James Paul:]
Well, it's worse than I thought. GAO has been migrating to the new Government
telephone system and apparently this has caught up with their ordering
operation. When you dial (202) 275-6241, you are now directed to call (202)
512-6000. At the same time the message says you will automatically be
switched over to the new number. I really apologize for all the confusion.
Me, I just get 'em directly.

The Federal Criteria for Information Technology Security review

nicki lynch <lynch@csmes.ncsl.nist.gov> Fri, 29 Jan 93 16:08:16 EST

The **PRELIMINARY DRAFT** of the U.S. Federal Criteria for Information
Technology Security (FC) (which will eventually replace the "Orange Book") is
available on-line. The files are located on both the NIST Computer Security
Bulletin Board and on the NCSC's DOCKMASTER computer system. DOCKMASTER has
the FC available in UNIX compressed postscript format, while the NIST BBS has
the FC available in PKZIP postscript format. When printed out, both volumes
of the document total approximately 280 pages double-sided. By the first week
of February, the FC (without the figures) should be available in ASCII format
at both sites. The figures will also be available individually in postscript
form.
What follows are instructions on how to download the files from both sites,
how to register your name for announcements, and how to send in comments.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TO DOWNLOAD THE FILES FROM DOCKMASTER:
The files can be found on DOCKMASTER in the directory:
>site>pubs>criteria>FC
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TO DOWNLOAD THE FILES FROM NIST'S BBS:
Volumes 1 and 2 of the FC can be accessed through the Internet via
anonymous ftp. To download, ftp to csrc.nist.gov or to 129.6.54.11.
Log in as "anonymous" and use your Internet address as the password. The FC
postscript files are in directory /bbs/nistpubs. The files are fcvol1.ps.Z
and fcvol2.ps.Z, for volumes one and two respectively. Both of these volumes
have been ZIPped using PKZIP. The PKZIP program is available in /bbs/software
should you need to download it.
REGISTERING YOUR NAME:
When you receive an electronic copy of the draft FC, please send us
your name, mailing address, telephone, and e-mail address to the
e-mail address listed below and state that you have an electronic
copy of the FC. If you distribute the document to additional people
in your organization, please send us the same information on those
people as well. We will put the names into our database for any
further announcements, meeting notices, draft announcements, etc.,
related to the effort. NIST will be sending out a LIMITED NUMBER
of hard copies, but due to the substantial expense of sending out
such a large document - even at book rate, we would prefer people
to receive the document via electronic means. Therefore, by
sending us your name and the names of those in your organization
who have the downloaded copies of the document, it saves us from
having to send additional hard copies.
COMMENTS:
We are soliciting TECHNICAL, SUBSTANTIVE comments on the document. The
deadline for comments is March 31, 1993. All those who contribute substantive
comments will be invited to a two-day workshop at the end of April 1993 to
resolve the comments. The workshop will be held in the Washington-Baltimore
area in a to-be-announced location.
Please send your comments to:
lynch@csmes.ncsl.nist.gov
or, if you prefer, you can send us a 3.5" or 5.25" diskette in
MSDOS or UNIX format (please indicate which) to:
Federal Criteria Comments
ATTN: Nickilyn Lynch
NIST/CSL, Bldg 224/RM A241
Gaithersburg, MD 20899
We would prefer to receive electronic copies of comments and/or name
registrations, but we will also receive hardcopy comments/name registrations
at this same address. You can also contact us via the following fax:
FAX: (301) 926-2733
Thank you in advance for your interest in this effort.
Federal Criteria Group, National Institute of Standards and Technology

Computers, Security and the Law

<kimble@minster.york.ac.uk> Sat, 30 Jan 93 16:14:27

The University of York in the UK is running a two day conference on Computers,
Security and the Law that may be of interest to the readers of COMP.RISKS.
The programme for the conference follows. If you do not think this is a
suitable place for this but know of somewhere that is perhaps you could
forward it or let me know and I will do so.
FINAL PROGRAMME.
COMPUTERS: SECURITY AND THE LAW
31 March - 1 April 1993
The conference will be run by the Department of Computer Science in
association with the Society for Computers & Law and the Licensing Executives
Society.
The aim of the conference is to highlight some of the important legal issues
that surround the use, and abuse, of computer technology in a way that should
be accessible to the non-specialist, such as lawyers or computer scientists.
The target audience for the conference is senior management and those in both
public and private sector organisations who wish to improve their knowledge
about the legal aspects of buying, using or creating computer related products
and services. The conference will be of interest to the police, the civil
service, banks, insurance and building societies.
The programme will take place over two consecutive days. The first day will
deal with the legal aspects of intellectual property rights, copyright and
contract law as it relates to computer products and services. The second day
will deal with the topics of computer crime and its prevention, security, data
protection and privacy.
The conference dinner will be a Medieval Banquet at St William's College
(founded in 1461). The keynote speaker will be Emma Nicholson, MP.
Proceedings of the conference will be published and be available to
participants after the conference.
REGISTRATION AND FEES:
Delegates will be able to register for either of the two days
separately if they wish. Fees: #275 for full conference, #165 for
single day; a discount is available for early booking by 19th
February 1993. (See application form for further details.)
PROGRAMME: DAY ONE
0930 - 0950 Registration
0950 - 1000 Introduction. Chair: Dr Keith C Mander, Head of
Department of Computer Science, University of York.
1000 - 1030 Overview of law relating to Intellectual Property
Rights. Speaker: David Stanley, Licensing
Executives Society.
Copyright Law, The Patent Law, The Law of Confidence, The Law of
Designs, Trade Marks, Semiconductor regulations.
1030 - 1115 Intellectual Property Rights as they apply to
computers. Speaker: John Sykes, Licensing
Executives Society.
Hardware, software and firmware. Back-up copies, "Look and feel" - the limits
to copyright protection, work created on a computer, work generated by a
computer.
1145 - 1230 Acquisition of computers 1. Speaker: Geoff Allan,
Independent Computer Consultant.
How does the acquisition process work?; documents involved - Invitation to
Tender, Proposal, Specification; what are the legal ramifications and
importance of these documents?
1415 - 1500 Acquisition of computers 2. Speaker: Dai Davis,
Society for Computers & Law.
The legal issues in acquisition contracts; payment triggers; bespoke
software - escrow agreements, maintenance agreements.
1500 - 1545 Facilities Management Contracts. Speaker: Jane
Rawlings, Society for Computers & Law.
What is facilities management?; types of arrangements available;
issues - software licensing and performance; response time,
availability, confidentiality, employment, security and computer
crime.
1615 - 1700 Review and discussion: a plenary session.
1900 - 2200 Conference Dinner: Keynote Speaker: Emma Nicholson, MP.
PROGRAMME: DAY TWO
0930 - 0950 Registration
0950 - 1000 Introduction. Chair: Dai Davis, Society for
Computers & Law.
1000 - 1045 Computer crime. Speaker: to be announced on the day.
Types of computer fraud, unauthorised access, unauthorised modification,
conspiracy to defraud, blackmail, fraud as theft, other offences.
1045 - 1130 "The Monday morning syndrome". Speaker: Dennis Jackson,
Computer Security Consultant, Staffordshire County Council.
The story of a real intrusion to a computer system and its world-wide
ramifications.
1200 - 1245 Computer crime (Damage to programs or data).
Speaker: Dr Jan Hruska, Sophos Ltd.
What is a virus?; criminal damage; reckless damage; blackmail, common viruses.
1400 - 1445 Data Protection Act, Security & Privacy. Speaker:
Dr J N Woulds, Senior Assistant Registrar, Office of
the Data Protection Registrar.
Overview and Principles of the Act, legal requirements and
constraints on computer users, supervision by the Registrar.
1445 - 1530 Security techniques. Speaker: John A Clark, CSE
Lecturer in Safety Critical Systems, University of York.
Physical, logical and procedural security; authentication and access control;
accounting and intrusion detection; communications security; evaluation.
1530 - 1600 Review and discussion: a plenary session.
1600 Tea and depart.
FURTHER DETAILS FROM:
Conference Organiser: Francoise Vassie
Centre for Continuing Education
King's Manor, York, YO1 2EP
The University of York
Tel 0904 433900 Fax 0904 433906
or
E-Mail KIMBLE@UK.AC.YORK.MINSTER